{
  "threat_severity" : "Important",
  "public_date" : "2019-07-11T00:00:00Z",
  "bugzilla" : {
    "description" : "spring-security-core: mishandling of user passwords allows logging in with a password of NULL",
    "id" : "1728993",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1728993"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-305",
  "details" : [ "Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of \"null\".", "A flaw was found in Spring Security in several versions, in the use of plain text passwords using the PlaintextPasswordEncoder. If an application is using an affected version of Spring Security with the PlaintextPasswordEncoder and a user has a null encoded password, an attacker can use this flaw to authenticate using a password of \"null.\"" ],
  "statement" : "Red Hat OpenStack Platform's OpenDaylight versions 9 and 10 contain the vulnerable code. However, these OpenDaylight versions were released as technical preview with limited support and will therefore not be updated. Other OpenDaylight versions do not contain the vulnerable library.",
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.6.0",
    "release_date" : "2020-03-26T00:00:00Z",
    "advisory" : "RHSA-2020:0983",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "spring-security-core",
    "impact" : "moderate"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "spring-security-core",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Not affected",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Not affected",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 14 (Rocky)",
    "fix_state" : "Not affected",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:14"
  }, {
    "product_name" : "Red Hat OpenStack Platform 8 (Liberty)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:8"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9 (Mitaka)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-11272\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-11272\nhttps://pivotal.io/security/cve-2019-11272" ],
  "name" : "CVE-2019-11272",
  "csaw" : false
}